Nagios XI Tools and Views External Links (not loading)

[NathanS]

Up until one of the more recent updates (in the last 3 months or so) our external links worked fine. Now anything linked outside of our Nagios host that we try to use in either a Tool page or in a View refuse to load. The following are some of the errors I've noted in my browser console, but I'm not sure if this is normal behavior.

Refused to display 'https://www.youtube.com/user/nagiosvideo' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.

Mixed Content: The page at 'https://nagios.regulusgroup.net/nagiosx ... /index.php?' was loaded over HTTPS, but requested an insecure resource 'http://[URL Snipped]'. This request has been blocked; the content must be served over HTTPS.

Refused to display 'https://[URL Snipped]'in a frame because it set 'X-Frame-Options' to 'DENY'.

[bwallace]

All of theses messages/errors (not really errors though) stem from your browser(s) and in the case of the 'DENY" perhaps from the webpage author. I don't know why this suddenly began however, as the 'SameOrigin" policy has been around for a very long time. The links below will explain it better than I, and should also show you what modifications you'll need to make:


Mixed Content: The page at was loaded over HTTPS, but requested an insecure resource ___ This request has been blocked; the content must be served over HTTPS.

https://developers.google.com/web/funda ... d-content/
Mixed content refers to a webpage where the initial HTML content is loaded over a secure HTTPS connection, but other resources (such as images, videos, stylesheets, scripts) are then loaded over an insecure HTTP connection. This is called mixed content because both HTTP and HTTPS content are being loaded to display the same page, and the initial request was secure over HTTPS. Modern browsers display warnings about this type of content to indicate to the user that this page contains insecure resources.

https://developers.google.com/web/funda ... tent?hl=en
----------------------------------------------------------------------------------------------
Refused to display ___ in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.

https://en.wikipedia.org/wiki/Same-origin_policy
http://security.stackexchange.com/quest ... on-iframes
http://programmers.stackexchange.com/qu ... gin-policy
------------------------------------------------------------------------------------------------
Refused to display ___ in a frame because it set 'X-Frame-Options' to 'DENY'.

DENY -- The page cannot be displayed in a frame, regardless of the site attempting to do so.
http://stackoverflow.com/questions/6666 ... me-options

[NathanS]

I understand that browsers can certainly affect what's allowed/disallowed via iframes, but I'm seeing these issues when when I drop security in IE to low, and similarly added any and all applicable exceptions in chrome with no change in behavior. My httpd.conf isn't specifying a Header X-Frame-Options anywhere (and neither is anything under conf.d).

For reference, I can't even get a https://www.google.com search page to show in the iframe. I just get errors on my browser console and an empty iframe section with no content.

I understand that iframes have always been a security concern, but this seems like a well documented "feature" for nagios xi that if I'm seeing normal behavior ends up feeling quite limited.

[tmcdonald]

Unless I am missing something it seems you are logging in to the HTTP web interface for XI and not using SSL/HTTPS. Do you get the same errors when using HTTPS instead?

[NathanS]

We use HTTPS and redirect HTTP, and use the suggested rewrite rules in the docs (apache).

I can't display http sites in the iframes, regardless of how I set my browser, and it seems MOST https sites complain about headers, which I would have thought should work. Now, it's possible that the main site I was linking to before that worked has changed their policies (youtube), it just seems more than a little odd that it not working seemed to correlate exactly with an upgrade to nagios.

[tmcdonald]

I found some other references to YouTube embedding specifically:

http://stackoverflow.com/questions/2566 ... frame-opti
http://stackoverflow.com/questions/1813 ... sameorigin

So in this case I think it is just the luck of the draw on the URL you are using. If you try one of the links referenced in the article as a test, does it work?